Real-World Snapshots vs. Theory: Questioning the t-Probing Security Model

TL;DR

This paper introduces Laser Logic State Imaging (LLSI), a contactless laser technique that captures hardware states at any clock cycle, challenging the assumptions of existing t-probing security models in side-channel attack defenses.

Contribution

The work presents a novel laser-assisted SCA method that breaches the t-probing security model by enabling unlimited contactless probing and state extraction from hardware implementations.

Findings

Successfully extracted full AES keys using LLSI in practical scenarios.

Demonstrated the ability to bypass the t-probing security model assumptions.

Validated the attack on masked hardware implementations with different register knowledge scenarios.

Abstract

Due to its sound theoretical basis and practical efficiency, masking has become the most prominent countermeasure to protect cryptographic implementations against physical side-channel attacks (SCAs). The core idea of masking is to randomly split every sensitive intermediate variable during computation into at least t+1 shares, where t denotes the maximum number of shares that are allowed to be observed by an adversary without learning any sensitive information. In other words, it is assumed that the adversary is bounded either by the possessed number of probes (e.g., microprobe needles) or by the order of statistical analyses while conducting higher-order SCA attacks (e.g., differential power analysis). Such bounded models are employed to prove the SCA security of the corresponding implementations. Consequently, it is believed that given a sufficiently large number of shares, the vast majority of known SCA attacks are mitigated. In this work, we present a novel laser-assisted SCA technique, called Laser Logic State Imaging (LLSI), which offers an unlimited number of contactless probes, and therefore, violates the probing security model assumption. This technique enables us to take snapshots of hardware implementations, i.e., extract the logical state of all registers at any arbitrary clock cycle with a single measurement. To validate this, we mount our attack on masked AES hardware implementations and practically demonstrate the extraction of the full-length key in two different scenarios. First, we assume that the location of the registers (key and/or state) is known, and hence, their content can be directly read by a single snapshot. Second, we consider an implementation with unknown register locations, where we make use of multiple snapshots and a SAT solver to reveal the secrets.